Cloud Security

Cloud security can be complex to understand. The best way to think about it is as you would about a safe: products range from something that pops open if you drop it, up to a bank vault. Cloud services are just as varied. They range from consumer services such as Google Drive/Apps and Dropbox, to business solutions such as hosted desktops and infrastructure as a service. A large risk for companies at the moment is staff starting to use consumer services for business purposes, because the company then loses all control over the data held in those services and it becomes a serious security risk. This is normally caused by companies failing to keep up with the new technologies that would let staff work in the most efficient way. To discuss cloud security I will talk about the general areas which affect cloud services and some ways to mitigate the risk. The Wikipedia article on cloud security (http://en.wikipedia.org/wiki/Cloud_computing_security) breaks the risks down into the following sections, which I will discuss in turn.

Identity management:
The first issue that arises with cloud services is identity management. This normally covers how usernames, passwords and other credentials are controlled. There are many options for how to implement this between your organisation and a cloud service, and a good cloud provider should work with you on how it will work. However, they should only ever implement something as secure as, if not more secure than, what you currently use. A simple thing to look out for is their password requirements. If they allow a password of password1, it is unlikely the rest of their system is very secure.

Physical and personnel security:
The next issue is how secure the hardware is where your data will be stored. The best way to find out is to ask to visit the provider's site where your data will be held. Look for things like a secure fence around the building. Expect to have to go through security checkpoints, provide ID, and be escorted around the building at all times. Ask yourself how easy it would be for someone with malicious intent to break in and access the systems. On top of this, the people who have access to the systems should be limited and documented, so it is known who has access and when they used it. It is also important to know where your data is being held, in order to comply with legislation such as the Data Protection Act. Many providers will store your data all over the world in order to reduce costs.

Availability:
Any cloud provider should be able to guarantee a certain level of availability for your systems in a secure way. The best way to ensure this is to make sure you have an agreed SLA (Service Level Agreement) in your contract with the provider, with penalties for the provider if it is not met. A service level agreement is a document that defines the level of uptime, how long support requests should take to be answered and completed, and various other things that define the quality of service expected.

Application security:
Application security is very important in a cloud environment. A cloud provider should work with you on rolling out any software that is required in your environment. It should go through testing and be approved by the provider before being rolled out. A cloud provider should work with you on application deployment and should, in some situations, tell you that an application cannot be deployed. Of course they should then work with you on finding an alternative piece of software which is secure.

Privacy:
This involves how access to your private data, such as credit card details or passwords, is controlled. The best way I have found to test this is to say you have forgotten your password. If they are able to tell you what your password is, their system is not secure. A forgotten password should always be reset to a new one, because there should never be a way to find out what someone's password is. Passwords should only ever be stored as salted one-way hashes produced by a dedicated password hashing function (bcrypt, scrypt or Argon2, not reversible encryption and not a plain fast hash such as MD5 or SHA-1), so the original password cannot be recovered from what is stored. Another warning sign is if they ask you for your password when providing support. A good provider will never ask for your password; they will reset it to a temporary one while they need access and get you to change it as soon as they are finished.

Business continuity and data recovery:
This is the process a cloud provider should have in place in the event of a disaster. The process should be documented, including the time until each system is expected to be back up and running (the recovery time objective). It should be tested regularly, at a minimum once every 6 months and after any change to the infrastructure. Ask to see a provider's disaster recovery plan and when it was last tested.

Logs and audit trails:
The final thing to check is that adequate logs and audit trails of access are kept, for as long as needed, and secured properly (for example so that the administrators whose actions they record cannot alter or delete them). A cloud provider should work with you to define these.

There are many different aspects of cloud security, but hopefully this has given you some tips on what to look out for.
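The password handling described under Identity management and Privacy above, as an added example that is not from the original post: a policy check that rejects a password such as password1, storage as a salted scrypt hash from which the password cannot be recovered, and a forgotten-password path that issues a random temporary password to be changed at next login rather than revealing anything. The policy values, the denylist, the AccountStore class and the usernames and passwords used are assumptions made for this example, and the code uses only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Illustrative policy values (assumptions for this example, not a standard): a minimum
# length and a small constructed denylist. A real deployment checks a large
# breached-password list rather than this handful of entries.
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# scrypt cost parameters: n=2**14, r=8 means roughly 16 MiB of memory per hash,
# which is what makes offline guessing of a leaked hash expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1


def password_meets_policy(password: str) -> bool:
    """Reject passwords that are too short or on the common-password denylist."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted, one-way scrypt hash, returned as 'scrypt$<salt hex>$<hash hex>'.

    Nothing in the returned string lets anyone recover the password; the only
    thing that can be done with it is to check a candidate password against it.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, salt_hex, digest_hex = stored.split("$")
    if algorithm != "scrypt":
        raise ValueError("unsupported hash format")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$")[2], digest_hex)


@dataclass
class Account:
    password_hash: str
    must_change: bool = False  # set after a reset so the temporary password is short-lived


class AccountStore:
    """Toy account database (assumed for the example): holds hashes, never passwords."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self._accounts[username] = Account(password_hash=hash_password(password))

    def stored_hash(self, username: str) -> str:
        """What a database dump would expose for this user."""
        return self._accounts[username].password_hash

    def login(self, username: str, password: str) -> bool:
        account = self._accounts.get(username)
        if account is None:
            hash_password(password)  # same cost for unknown users, so timing leaks nothing
            return False
        return verify_password(password, account.password_hash)

    def must_change_password(self, username: str) -> bool:
        return self._accounts[username].must_change

    def forgot_password(self, username: str) -> str:
        """The 'forgotten password' path: the old password cannot be told to anyone,
        so a random temporary one is issued and flagged for change at next login."""
        temporary = secrets.token_urlsafe(18)
        self._accounts[username] = Account(password_hash=hash_password(temporary), must_change=True)
        return temporary  # delivered out of band, e.g. to a verified e-mail address

    def change_password(self, username: str, current: str, new: str) -> bool:
        """Rotate the password; also how a support engineer's temporary access is ended."""
        if not self.login(username, current) or not password_meets_policy(new):
            return False
        self._accounts[username] = Account(password_hash=hash_password(new))
        return True
```

The same three checks from the text map directly onto this code: registration with password1 fails the policy, the stored record contains a salt and a digest but nothing the password can be read back from, and the only answer to "I forgot my password" is a fresh temporary password that must be changed. hashlib.scrypt is in the standard library from Python 3.6 when built against OpenSSL 1.1 or later; in a real service use the password hashing your framework provides rather than hand-rolling the storage format.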